pmacct-discussion  

Re: [pmacct-discussion] pre_tag_map issue + questions

Zenon Mousmoulas
Mon, 08 Feb 2010 04:44:51 -0800

Hi Paolo,

On 08 Φεβ 2010, at 12:28 ΜΜ, Paolo Lucente wrote:


On Mon, Feb 08, 2010 at 10:37:54AM +0200, Zenon Mousmoulas wrote:


I have a netflow v9 feed to nfacctd from a juniper router (JUNOS
9.6R2.11), using a service pic. According to a packet capture, records 
include ingress and egress interface and they seem to be properly
defined in the corresponding template. I've tried to use the snmp
ifindex numbers in pre_tag_map keys, but they never match. Matching in pre_tag_map with other keys seems to work fine. Any ideas how to debug?
You can start by checking (ie. with Wireshark) whether the input/ output 
interface fields are part of the NetFlow v9 template other than the


I have. They are...


records. If it's in there, then i'd like to give it a look myself: i
would ask you to produce a trace and send it to me privately so that
i can have a look. We can then summarize findings here.


OK. I will send you the capture privately.
I also noticed that proto and ToS are not available as pre_tag_map keys. Any particular reason for that? DSCP matching would be handy in my case. 

For this task you can use a 'filter' keyword within the pre_tag_map,
which accepts a filter in libpcap syntax. Give it a try and let me
know.
OK, thanks, I will look into it. I had overlooked this, thinking that 'filter' only applied to pmacctd and not {nf,s}acctd. 




On a somewhat different note: the particular juniper can also export
ipv6 flows, using a different template. I've noticed it includes an
IP_PROTOCOL_VERSION (60) field in this template.
If we send the ipv6 feed to the same instance of nfacctd which receives 
the ipv4 feed, how can we tell apart ipv6 from ipv4 traffic if we're
doing AS aggregation? It would be handy to have an ip_proto aggregation 
primitive, or at least to be able to match by 'IPVersion' in a
pre_tag_map.


Sure. Once again you have to resort to a filter in libpcap format,
this time the 'aggregate_filter'. You can configure it as follows:

aggregate_filter[ip_traffic]: ip
aggregate_filter[ip6_traffic]: ip6
Alright. I was thinking towards a single plugin handling both, but I guess that should also work. Thanks. 

Cheers,
Z.


_______________________________________________
pmacct-discussion mailing list
http://www.pmacct.net/#mailinglists